In this article

Out-of-date ActiveX control blocking

In this article

Applies to:

Windows 10

Windows 8.1

Windows 7

Windows Server 2012 R2

Windows Server 2008 R2 with Service Pack 1 (SP1)

Windows Vista SP2

ActiveX controls are small apps that let websites provide content, like videos, games, and let you interact with content like toolbars. Unfortunately, because many ActiveX controls aren’t automatically updated, they can become outdated as new versions are released. It’s very important that you keep your ActiveX controls up-to-date because malicious software (or malware) can target security flaws in outdated controls, damaging your computer by collecting info from it, installing unwanted software, or by letting someone else control it remotely. To help avoid this situation, Internet Explorer includes a new security feature, called out-of-date ActiveX control blocking.

Out-of-date ActiveX control blocking lets you:

Know when IE prevents a webpage from loading common, but outdated ActiveX controls.

Interact with other parts of the webpage that aren’t affected by the outdated control.

Update the outdated control, so that it’s up-to-date and safer to use.

The out-of-date ActiveX control blocking feature works with all Security Zones, except the Local Intranet Zone and the Trusted Sites Zone.

It also works with these operating system and IE combinations:

Windows operating system

IE version

Windows 10

All supported versions of IE.Microsoft Edge doesn't support ActiveX controls.

What does the out-of-date ActiveX control blocking notification look like?

When IE blocks an outdated ActiveX control, you’ll see a notification bar similar to this, depending on your version of IE:

Internet Explorer 9 through Internet Explorer 11

Windows Internet Explorer 8

Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE:

How do I fix an outdated ActiveX control or app?

From the notification about the outdated ActiveX control, you can go to the control’s website to download its latest version.

To get the updated ActiveX control

From the notification bar, tap or click Update.

IE opens the ActiveX control’s website.

Download the latest version of the control.

Security Note:If you don’t fully trust a site, you shouldn’t allow it to load an outdated ActiveX control. However, although we don’t recommend it, you can view the missing webpage content by tapping or clicking Run this time. This option runs the ActiveX control without updating or fixing the problem. The next time you visit a webpage running the same outdated ActiveX control, you’ll get the notification again.

To get the updated app

From the security warning, tap or click Update link.

IE opens the app’s website.

Download the latest version of the app.

Security Note:If you don’t fully trust a site, you shouldn’t allow it to launch an outdated app. However, although we don’t recommend it, you can let the webpage launch the app by tapping or clicking Allow. This option opens the app without updating or fixing the problem. The next time you visit a webpage running the same outdated app, you’ll get the notification again.

How does IE decide which ActiveX controls to block?

IE uses Microsoft’s versionlist.xml or versionlistWin7.xml file to determine whether an ActiveX control should be stopped from loading. These files are updated with newly-discovered out-of-date ActiveX controls, which IE automatically downloads to your local copy of the file.

You can see your copy of the file here %LOCALAPPDATA%\Microsoft\Internet Explorer\VersionManager\versionlist.xml or you can view Microsoft’s version, based on your operating system and version of IE, here:

Security Note:Although we strongly recommend against it, if you don’t want your computer to automatically download the updated version list from Microsoft, run the following command from a command prompt:

Turning off this automatic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls, potentially compromising the security of your computer. Use this configuration option at your own risk.

Group Policy settings

Here’s a list of the new Group Policy info, including the settings, location, requirements, and Help text strings. All of these settings can be set in either the Computer Configuration or User Configuration scope, but Computer Configuration takes precedence over User Configuration.

Important
Out-of-date ActiveX control blocking is turned off in the Local Intranet Zone and the Trusted Sites Zone; therefore, intranet websites and line-of-business apps will continue to use out-of-date ActiveX controls without disruption.

If you enable this setting, IE logs ActiveX control information (including the source URI that loaded the control and whether it was blocked) to a local file.

If you disable or don't configure this setting, IE won't log ActiveX control information.

Note that you can turn this setting on or off regardless of the Turn off blocking of outdated ActiveX controls for IE or Turn off blocking of outdated ActiveX controls for IE on specific domains settings.

This setting allows you stop users from seeing the Run this time button and from running specific outdated ActiveX controls in IE.

If you enable this setting, users won't see the Run this time button on the warning message that appears when IE blocks an outdated ActiveX control.

If you disable or don't configure this setting, users will see the Run this time button on the warning message that appears when IE blocks an outdated ActiveX control. Clicking this button lets the user run the outdated ActiveX control once.

Turn off blocking of outdated ActiveX controls for IE on specific domains

Inventory your ActiveX controls

You can inventory the ActiveX controls being used in your company, by turning on the Turn on ActiveX control logging in IE setting:

Windows 10: Through a comma-separated values (.csv) file or through a local Windows Management Instrumentation (WMI) class.

All other versions of Microsoft Windows: Through a .csv file only.

Inventory your ActiveX controls by using a .CSV file

If you decide to inventory the ActiveX controls being used in your company by turning on the Turn on ActiveX control logging in IE setting, IE logs the ActiveX control information to the %LOCALAPPDATA%\Microsoft\Internet Explorer\AuditMode\VersionAuditLog.csv file.

Here’s a detailed example and description of what’s included in the VersionAuditLog.csv file.

Source URI

File path

Product version

File version

Allowed/Blocked

Reason

EPM-compatible

https://contoso.com/test1.html

C:\Windows\System32\Macromed\Flash\Flash.ocx

14.0.0.125

14.0.0.125

Allowed

Not in blocklist

EPM-compatible

https://contoso.com/test2.html

C:\Program Files\Java\jre6\bin\jp2iexp.dll

6.0.410.2

6.0.410.2

Blocked

Out of date

Not EPM-compatible

Where:

Source URI. The URL of the page that loaded the ActiveX control.

File path. The location of the binary that implements the ActiveX control.

Product version. The product version of the binary that implements the ActiveX control.

File version. The file version of the binary that implements the ActiveX control.

NoteEnhanced Protected Mode isn’t supported on Internet Explorer 9 or earlier versions of IE. Therefore, if you’re using Internet Explorer 8 or Internet Explorer 9, all ActiveX controls will always be marked as not EPM-compatible.

Reason. The ActiveX control can be blocked or allowed for any of these reasons:

Reason

Corresponds to

Description

Version not in blocklist

Allowed

The version of the loaded ActiveX control is explicitly allowed by the IE version list.

Trusted domain

Allowed

The ActiveX control was loaded on a domain listed in the Turn off blocking of outdated ActiveX controls for IE on specific domains setting.

File doesn’t exist

Allowed

The loaded ActiveX control is missing required binaries to run correctly.

Out-of-date

Blocked

The loaded ActiveX control is explicitly blocked by the IE version list because it is out-of-date.

Not in blocklist

Allowed

The loaded ActiveX control isn’t in the IE version list.

Managed by policy

Allowed

The loaded ActiveX control is managed by a Group Policy setting that isn’t listed here, and will be managed in accordance with that Group Policy setting.

Trusted Site Zone or intranet

Allowed

The ActiveX control was loaded in the Trusted Sites Zone or the Local Intranet Zone.

Hardblocked

Blocked

The loaded ActiveX control is blocked in IE because it contains known security vulnerabilities.

Unknown

Allowed or blocked

None of the above apply.

Inventory your ActiveX controls by using a local WMI class

For Windows 10 you also have the option to log your inventory info to a local WMI class. Info logged to this class includes all of info you get from the .csv file, plus the CLSID of the loaded ActiveX control or the name of any apps started from an ActiveX control.

The inventory info appears in the WMI class, IEAXControlBlockingAuditInfo, located in the WMI namespace, root\cimv2\IETelemetry. To collect the inventory info from your client computers, we recommend using System Center 2012 R2 Configuration Manager or any agent that can access the WMI data. For more info, see Collect data using Enterprise Site Discovery.

Feedback

We'd love to hear your thoughts. Choose the type you'd like to provide: